On 19 December 2019, the European Commission (Commission) launched a public consultation on a digital operational resilience framework for financial services. The consultation, which was published in parallel with a separate consultation on crypto assets, comes as the Commission is working towards a new Digital Finance Strategy. The aim of the strategy would be to promote digital finance in the EU while regulating the risks stemming from it in an adequate manner. The consultation at hand will inform the Commission on the development of a potential EU cross-sectoral digital operational resilience framework in the field of financial services. The public consultation remains open until 18 March 2020
The Commission is of the view that, although the EU has already worked on horizontal policies setting cybersecurity standards for the economy as a whole, the increased risks facing the financial sector warrant the EU to develop more specific and more advanced actions that go beyond the horizontal framework. Currently, financial services regulation already includes a number of provisions regulating information and communications technology (ICT) and security risks, but the Commission considers that these are fragmented in terms of scope, granularity and specificity. In order to make the framework work more efficiently and effectively, the Commission thinks that it is essential that financial supervisors work in a harmonised and convergent framework across Member States and different parts of the financial sector. In the light of this, the Commission is looking for stakeholder views on the following aspects:
- targeted improvements of ICT and security risk management requirements across EU financial services legislation in order to reinforce the level of digital operational resilience of all main financial sectors regulated by EU financial services law;
- the harmonisation of ICT incidents reporting through the clarification and complementation of these rules with provisions that facilitate a better monitoring and analysis of ICT and security-related risks;
- the development of a digital operational resilience testing framework across all financial sectors, which would anticipate threats and improve the digital operational readiness of financial actors and supervisory authorities;
- rules creating a better oversight of certain critical third-party ICT providers on which financial institutions rely and outsource functions to; and
- arrangements promoting effective information sharing on ICT and security threats among financial market participants and promoting increased cooperation among public authorities.
The consultation launched by the Commission is a follow-up to its March 2018 FinTech Action Plan and comes as many national and international regulators are assessing the risks arising from the digitalisation of the financial services sector. On an international level, the Financial Stability Board published two reports on financial stability risks stemming from BigTechs and cloud services providers in December 2019.
The Joint Committee of the European Supervisory Authorities, consisting of the European Systems and Markets Authority, the European Banking Authority and European Insurance and Occupational Pensions Authority, have also published a report on the ICT risk management and cyber security in April 2019 in order to provide input to the Commission’s approach on the subject. On the national level, the UK House of Commons Treasury Committee published a report on IT failures in financial services, in which it called upon national regulators and the UK government to step up their efforts to address IT failures and poor operational resilience of firms.